Privacy is Science not Art

The CEO of the International Association of Privacy Professionals, (IAPP) Trevor Hughes gave a talk at the Boston Bar Association’s Privacy & Security Summit earlier this year in which he examined the evolution of “privacy” through the lens of art. He highlighted the way privacy has impacted the world, values, and contemporary mores as reflected in the art of a particular time – going all the way back to a painting of the Garden of Eden which depicted likely the oldest symbol of privacy, a fig leaf. It was a really interesting talk. Recently, I had the opportunity to come speak to the leadership team of the IAPP at their annual retreat in Maine and something struck me as we discussed the IAPP’s role, strategy and future. Privacy may be interestingly linked to art as Trevor noted in his talk – but data privacy is increasingly becoming less art and more science.

Look no further than the emerging field of “data science” which is absolutely white hot. Just try finding (and affording) skilled data scientists to hire these days! Additionally, technology that utilizes “Artificial Intelligence” and/or “Machine Learning” is uber en vogue. There’s a tendency for companies that are out pitching for venture capital or trying to move the needle with stock analysts, to highlight uses of AI/ML and data science to prove that a company has a forward-looking view, worthy of investment and attention.

As these concepts proliferate inside technology companies, it should be no surprise that these are the practices upon which current and future data privacy features and tools are being constructed. For example, data science literally underpins the creation of the tools designed to effectuate data subject rights under the EU’s General Data Protection Regulation (GDPR) that became effective in May of 2018.

There’s another critically important area that is proving more science than art as well: security. In fact, I once asked a CPO of a public company this question: “What are the most important factors you consider when examining a vendor who will store personal information?” His answer: “Security, security and security.” In addition to traditional methods and processes, AI/ML and data science are being deployed heavily in designing threat detection and neutralization technology. Privacy and security tend to get lumped together, and in today’s world, they need to be worked on distinctly, as well as collectively. And, they need to be scientifically approached. A version of the traditional scientific method (hypothesis, prediction, testing, analysis) can be applied. At SessionM we very much approach privacy by design this way. I often sit with the product team; we discuss solutions; we propose ideas; we predict how they will work; we anticipate issues; we test them with our engineering teams; and we analyze outcomes.

I do not mean to imply that data privacy no longer involves “art” or that the practice should be one where a rote set of rules are always applied with no room for creative solutions. There are often artistic and artful solutions to complex problems. My favorite and trusted privacy counsel and SessionM’s DPO are truly more artists than scientists, helping apply our scientific approach in order to paint a broad, protective canvas for our customer data and our own internal programs.

This theory will be put to the test in 2019 as we will see enforcement actions under the GDPR, and the California Consumer Privacy Act will undergo lobbying and amendment. It will be interesting to see whether the approach of regulators, lawmakers, and lobbyists will be scientific, art or some nuanced mixture.